Netfilter-Devel Archive mirror
From: <imnozi@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: Re: [Thread split] nftables rule optimization - dropping invalid in ingress?
Date: Sun, 21 Apr 2024 16:13:27 -0400
Message-ID: <20240421161327.626f4a61@playground>
In-Reply-To: <20240421175000.5fa666d7@localhost>

On Sun, 21 Apr 2024 17:50:00 -0000
"William N." <netfilter@riseup.net> wrote:

> On Sun, 21 Apr 2024 03:45:31 +0000 Eric wrote:
> 
> > I'd be very interested in seeing some statistics on how many actual
> > invalid packets you see on a live link.  Stick some counters in there
> > and collect dropped versus passed packets...  
> 
> This particular system is a desktop one (rebooted often), so that kind
> of stats won't make any sense.
> 
> > My naive guess would be there are only tiny percentage of rejected
> > packets.  
> 
> Without a particular attack - quite possible. However, it is always
> good to learn what is better/worse/futile.
> 

[Again, this is iptables; your mileage with nftables may vary.]

From my firewall that's been up 30 days; I think these are reasonable numbers. It shows the total packets that passed PREROUTING, the packets from internet dropped due to my blocklists (which probably includes at least some INVALID packets), and the remaining INVALID packets from internet and internal sources. These two are the only DROPs in PREROUTING. Ballpark, about 0.5% of the packets are INVALID. Small, but not necessarily 'tiny'.
-----
*mangle
:PREROUTING ACCEPT [728638:3046835361]
[43686:2232175] -A PREROUTING -i eth3 \
    -m set --match-set blockSetHost src -j blDrop
[37712:1840302] -A PREROUTING \
    -m state --state INVALID -j invdrop
-----

Note that dropping them at the top of PREROUTING prevents them from passing through the rest of the rules in PREROUTING (and mangle), and rules in nat, and any rules in filter they might hit before finally being DROPped.

N
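As an added example (not part of this message or of the netfilter project), a small Python parser that reads the `iptables-save -c` counters quoted above and works out each drop target's share of the packets that entered PREROUTING. It assumes, as the message states, that the jumps to blDrop and invdrop end in DROP, so packets entering the chain are the policy hits plus the drops.

```python
import re

# iptables-save -c output for the mangle table, copied from the message above
# (the two wrapped rule lines re-joined; iptables-save prints one rule per line).
SAMPLE = """*mangle
:PREROUTING ACCEPT [728638:3046835361]
[43686:2232175] -A PREROUTING -i eth3 -m set --match-set blockSetHost src -j blDrop
[37712:1840302] -A PREROUTING -m state --state INVALID -j invdrop
COMMIT
"""

# ":CHAIN POLICY [pkts:bytes]" and "[pkts:bytes] -A CHAIN <matches> -j TARGET"
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*?) -j (\S+)$")


def parse_counters(text):
    """Parse `iptables-save -c` text into policy counters and per-rule counters.

    Returns ({chain: (pkts, bytes)}, [(chain, pkts, bytes, matchspec, target)]).
    A chain line's counter is the policy counter: packets that reached the end
    of the chain without a rule terminating them. Rules without -j are skipped.
    """
    policy, rules = {}, []
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            policy[m.group(1)] = (int(m.group(3)), int(m.group(4)))
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, byts, chain, spec, target = m.groups()
            rules.append((chain, int(pkts), int(byts), spec, target))
    return policy, rules


def drop_report(text, chain, drop_targets):
    """Per-target drop counts and their share of all packets that entered `chain`.

    Assumes every jump to a name in `drop_targets` terminates in DROP, so that
    entered = policy hits + drops (a returning user chain would be undercounted).
    """
    policy, rules = parse_counters(text)
    drops = {}
    for c, pkts, _, _, target in rules:
        if c == chain and target in drop_targets:
            drops[target] = drops.get(target, 0) + pkts
    entered = policy[chain][0] + sum(drops.values())
    return {"entered": entered,
            "drops": drops,
            "share": {t: n / entered for t, n in drops.items()}}


if __name__ == "__main__":
    r = drop_report(SAMPLE, "PREROUTING", {"blDrop", "invdrop"})
    for t, s in r["share"].items():
        print(f"{t}: {r['drops'][t]} of {r['entered']} packets ({s:.2%})")
```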